MinIO supports using an OpenID Connect (OIDC) compatible IDentity Provider (IDP) such as Okta, KeyCloak, Dex, Google, or Facebook for external management of user identities. Configuring an external IDP enables Single-Sign On workflows, where applications authenticate against the external IDP before accessing MinIO.
MinIO by default denies access to all actions or resources not explicitly allowed by a user’s assigned or inherited policies. Users managed by an OIDC provider must specify the necessary policies as part of the user profile data. See Access Control for OIDC Managed Identities for more information.
See Configure MinIO for Authentication using OpenID for instructions on enabling external identity management using an OIDC compatible service.
MinIO Supports At Most One Configured IDentity Provider
Configuring an external IDP disables the MinIO internal IDP and prevents the configuration of any other external IDP.
MinIO uses Policy Based Access Control (PBAC) to define the actions and resources to which an authenticated user has access. MinIO supports creating and managing policies which an externally managed user can claim.
MinIO by default looks for a policy claim and reads a list of one or more policies to assign. MinIO attempts to match existing policies to those specified in the JWT claim. If none of the specified policies exist on the MinIO deployment, MinIO denies authorization for any and all operations issued by that user. For example, consider a claim with the following key-value
The specified policy claim directs MinIO to attach the policies with names read_logs to the
You can use a JWT debugging tool to decode the returned JWT and validate that the user attributes include the required claims. See RFC 7519: JWT Claim for more information on JWT claims. Defer to the documentation for your preferred OIDC provider for instructions on configuring user claims.
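The claim-matching behaviour described above, as an added example that is not part of the MinIO documentation or code base: it decodes the payload of a compact JWT the way a debugging tool would, reads the policy claim (as either a comma-separated string or a JSON list), and returns the policies that exist on a deployment, or denial when none do. The policy names in EXISTING_POLICIES and the token builder are constructed for the example; signature verification is deliberately out of scope here, since MinIO performs it against the IDP's keys before trusting any claim.

```python
import base64
import json

# Constructed sample: policies assumed to exist on a hypothetical MinIO deployment.
EXISTING_POLICIES = {"readonly", "readwrite", "diagnostics", "read_logs"}


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT for inspection only (no signature check)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(b64url_decode(parts[1]))


def policies_from_claim(claims: dict, claim_name: str = "policy") -> list:
    """Read the policy claim as a comma-separated string or a JSON list of names."""
    value = claims.get(claim_name)
    if value is None:
        return []
    if isinstance(value, str):
        value = value.split(",")
    return [name.strip() for name in value if name.strip()]


def resolve_policies(claims: dict, existing: set, claim_name: str = "policy"):
    """Return the policies that would be attached, or None when access is denied.

    Only names that exist on the deployment are attached; if none of the named
    policies exist (or the claim is missing), every operation is denied.
    """
    matched = [name for name in policies_from_claim(claims, claim_name) if name in existing]
    return matched or None


def make_test_token(claims: dict) -> str:
    """Build a constructed, unsigned token fixture; the signature segment is a placeholder."""
    def enc(obj) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'typ': 'JWT'})}.{enc(claims)}.placeholder"


if __name__ == "__main__":
    token = make_test_token({"sub": "alice", "policy": "readwrite, read_logs"})
    print(resolve_policies(decode_jwt_claims(token), EXISTING_POLICIES))
```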
MinIO provides built-in policies for basic access control. You can create new policies using the mc admin policy command, or by using the MinIO Console. MinIO does not support assigning groups to an OIDC managed identity. Specify any and all policies to attach to the user as part of its JWT